You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/08/10 04:37:45 UTC
[jira] [Commented] (HBASE-13425) Documentation nit in REST Gateway
impersonation section
[ https://issues.apache.org/jira/browse/HBASE-13425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14679490#comment-14679490 ]
Hadoop QA commented on HBASE-13425:
-----------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12749497/HBASE-13425.patch
against master branch at commit 5bdb0eb91290e306213bca62cea82c5d1b24d317.
ATTACHMENT ID: 12749497
{color:green}+1 @author{color}. The patch does not contain any @author tags.
{color:green}+0 tests included{color}. The patch appears to be a documentation patch that doesn't require tests.
{color:green}+1 hadoop versions{color}. The patch compiles with all supported hadoop versions (2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.0 2.7.0)
{color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.
{color:green}+1 protoc{color}. The applied patch does not increase the total number of protoc compiler warnings.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages.
{color:green}+1 checkstyle{color}. The applied patch does not increase the total number of checkstyle errors
{color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.
{color:red}-1 lineLengths{color}. The patch introduces the following lines longer than 100:
+ZooKeeper has a pluggable authentication mechanism to enable access from clients using different methods. ZooKeeper even allows authenticated and un-authenticated clients at the same time. The access to znodes can be restricted by providing Access Control Lists (ACLs) per znode. An ACL contains two components, the authentication method and the principal. ACLs are NOT enforced hierarchically. See link:https://zookeeper.apache.org/doc/r3.3.6/zookeeperProgrammers.html#sc_ZooKeeperPluggableAuthentication[ZooKeeper Programmers Guide] for details.
+HBase daemons authenticate to ZooKeeper via SASL and kerberos (See <<zk.sasl.auth>>). HBase sets up the znode ACLs so that only the HBase user and the configured hbase superuser (`hbase.superuser`) can access and modify the data. In cases where ZooKeeper is used for service discovery or sharing state with the client, the znodes created by HBase will also allow anyone (regardless of authentication) to read these znodes (clusterId, master address, meta location, etc), but only the HBase user can modify them.
+All of the data under management is kept under the root directory in the file system (`hbase.rootdir`). Access to the data and WAL files in the filesystem should be restricted so that users cannot bypass the HBase layer, and peek at the underlying data files from the file system. HBase assumes the filesystem used (HDFS or other) enforces permissions hierarchically. If sufficient protection from the file system (both authorization and authentication) is not provided, HBase level authorization control (ACLs, visibility labels, etc) is meaningless since the user can always access the data from the file system.
+In secure mode, SecureBulkLoadEndpoint should be configured and used for properly handing of users files created from MR jobs to the HBase daemons and HBase user. The staging directory in the distributed file system used for bulk load (`hbase.bulkload.staging.dir`, defaults to `/tmp/hbase-staging`) should have (mode 711, or `rwx--x--x`) so that users can access the staging directory created under that parent directory, but cannot do any other operation. See <<hbase.secure.bulkload>> for how to configure SecureBulkLoadEndPoint.
{color:green}+1 site{color}. The mvn post-site goal succeeds with this patch.
{color:red}-1 core tests{color}. The patch failed these unit tests:
{color:red}-1 core zombie tests{color}. There are 3 zombie test(s): at org.apache.hadoop.hbase.client.TestMobRestoreSnapshotFromClient.testRestoreSnapshot(TestMobRestoreSnapshotFromClient.java:157)
at org.apache.hadoop.hbase.client.TestCloneSnapshotFromClient.testCloneSnapshot(TestCloneSnapshotFromClient.java:171)
at org.apache.hadoop.hbase.client.TestCloneSnapshotFromClient.testCloneSnapshot(TestCloneSnapshotFromClient.java:159)
at org.apache.hadoop.hbase.client.TestBlockEvictionFromClient.testParallelGetsAndScanWithWrappedRegionScanner(TestBlockEvictionFromClient.java:749)
Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/15020//testReport/
Release Findbugs (version 2.0.3) warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/15020//artifact/patchprocess/newFindbugsWarnings.html
Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/15020//artifact/patchprocess/checkstyle-aggregate.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/15020//console
This message is automatically generated.
> Documentation nit in REST Gateway impersonation section
> -------------------------------------------------------
>
> Key: HBASE-13425
> URL: https://issues.apache.org/jira/browse/HBASE-13425
> Project: HBase
> Issue Type: Improvement
> Components: documentation
> Affects Versions: 2.0.0
> Reporter: Jeremie Gomez
> Assignee: Misty Stanley-Jones
> Priority: Minor
> Fix For: 2.0.0
>
> Attachments: HBASE-13425.patch
>
>
> In section "55.8. REST Gateway Impersonation Configuration", there is another property that needs to be set (and thus documented).
> After this sentence ("To enable REST gateway impersonation, add the following to the hbase-site.xml file for every REST gateway."), we should add :
> <property>
> <name>hbase.rest.support.proxyuser</name>
> <value>true</value>
> </property>
> It not set, doing a curl call on the rest gateway gives the error "support for proxyuser is not configured".
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)